On Tuesday 18 December 2007, Jim Fulton wrote:
> > If we register "absolute_url" in a layer which isn't
> > used in a skin, then this view is not available as
> > traversable view because of the missing layer/named skin
> > configuration.
>
> Which does nothing to "protect" you from components registered for the
> default layer or for IBrowserRequest.
Yes, because in our code we never ever expose the registrations in the default layer. We consider that layer hostile. :-)

(Eventually we hope to rid ourselves of even importing any configuration that registers into the browser layer, but the Zope packages need some refactoring to do this in a sane way.)

IBrowserRequest is a big problem, since it is the base interface for all layers. I used to scan the ZCML for components registered for IBrowserRequest. I have not done this in a while, but should make it a habit again. I hope that security analysis tools, such as z3c.securitytool, will eventually help us identify those problems.

Regards,
Stephan

--
Stephan Richter
CBU Physics & Chemistry (B.S.) / Tufts Physics (Ph.D. student)
Web2k - Web Software Design, Development and Training
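The ZCML scan Stephan describes, as an added example (not code from the thread or from any Zope package): it walks a ZCML file and reports every `browser:` view or resource directive that either omits `layer` (and so lands in the default layer) or names `IBrowserRequest`, the base of every layer, as its layer. The sample ZCML, the `.views`/`.layers` dotted names and the set of directive tags checked are constructed for the example.

```python
"""Find browser registrations reachable from every skin in a ZCML file."""
import xml.etree.ElementTree as ET

BROWSER_NS = "http://namespaces.zope.org/browser"
# View-like browser directives to audit (constructed list for this example).
VIEW_TAGS = {"page", "view", "resource", "resourceDirectory"}
IBROWSERREQUEST = "zope.publisher.interfaces.browser.IBrowserRequest"

# Constructed sample: one view with no layer, one on IBrowserRequest,
# one on a skin layer and one inheriting its layer from browser:pages.
SAMPLE_ZCML = """<configure xmlns="http://namespaces.zope.org/zope"
           xmlns:browser="http://namespaces.zope.org/browser">
  <browser:page name="absolute_url" for="*" class=".views.AbsoluteURL"
                permission="zope.Public" />
  <browser:page name="index.html" for="*" class=".views.Index"
                layer=".layers.IMySkinLayer" permission="zope.Public" />
  <browser:view name="debug" for="*" class=".views.Debug"
                layer="zope.publisher.interfaces.browser.IBrowserRequest"
                permission="zope.Public" />
  <browser:pages for="*" class=".views.Admin" layer=".layers.IMySkinLayer"
                 permission="zope.ManageContent">
    <browser:page name="edit.html" attribute="edit" />
  </browser:pages>
</configure>
"""


def find_default_layer_registrations(zcml_text):
    """Return (directive, name, reason) for each browser directive that is
    registered without a layer or explicitly for IBrowserRequest."""
    root = ET.fromstring(zcml_text)
    # ElementTree has no parent links; build them so a browser:page nested
    # inside browser:pages can inherit the layer set on the parent.
    parent = {child: p for p in root.iter() for child in p}
    pages_tag = "{%s}pages" % BROWSER_NS
    findings = []
    for el in root.iter():
        ns, _, tag = el.tag[1:].partition("}")
        if ns != BROWSER_NS or tag not in VIEW_TAGS:
            continue
        layer = el.get("layer")
        p = parent.get(el)
        if layer is None and p is not None and p.tag == pages_tag:
            layer = p.get("layer")
        name = el.get("name", "")
        if layer is None:
            findings.append((tag, name, "no layer: registered for the default layer"))
        elif layer == IBROWSERREQUEST or layer.rsplit(".", 1)[-1] == "IBrowserRequest":
            findings.append((tag, name, "layer is IBrowserRequest, the base of every layer"))
    return findings
```

Run it over each package's `configure.zcml`; an empty result for a package means none of its view registrations is visible outside an explicit skin layer.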